33
Over the last decade or so, most financial institutions will have
made significant investment in risk management systems in
response to regulatory requirements and as a result of operating
in increasingly complex global business environments.
However, systems alone a re simply not enough. The human
factor is critical in effectively managing risk.
Most sophisticated risk management systems need to be
customised, configured and fine-tuned to monitor risk effectively,
thus requiring considerable input from people that have the
knowledge, skills and experience of the operating environment
and who truly understand the risks that their business faces.
As many risk systems are business-rule driven and
calibrated by experts based on thresholds and scores, the
resulting 'alerts' need to be evaluated by experts. They must
analyse contributing factors and apply judgment-based
decisions to determine whether the alert is a 'false positive' or
requires investigation.
Trained investigators then need to examine a wide range
of factors including the frequency of alert occurrences and
re-occurences, the volume and value of the contributing
transactions, the parties and accounts involved in the
transaction(s), the timeframe over which the transactions were
conducted, the instruments used to facilitate the transaction(s)
and many other factors to arrive at a decision.
Risk systems are ultimately only as effective as the people
that design and operate them, so I don't expect humans will
become redundant in the GRC space anytime soon.
Using software increases transparency, consistency and
efficiency by taking a process-driven approach to GRC to
resolve incidents quickly with a full audit trail demonstrating
your cor rective a nd preventive actions.
Software customised to AFSL/ACL obligations and
combining audit-proof workflows with industr y experience,
can assist organisations with efficiently assessing situations.
Using documented processes lets you confidently meet your
licence obligations while efficiently managing risks. Having a
system to manage your regulatory and commercial concerns
and their related actions, is crucial to robust management.
Manually managing risks rarely ensures risk prevention.
Software can put all your data concerning risk assessments,
control-testing and audits in a single database to ensure consistency
with reporting and real-time snapshots of your risk status.
GRC is all about balancing commercial success with risk
appetite. You can build a system to identify/manage all risks
but that comes at a price -- profitability. Setting up automatic
control alerts is one way a system can efficiently and effectively
a ssist you.
However, technology possesses no consciousness. It can
outperform humans in capacity but doesn't have the human
intelligence to pick-up human emotions during auditing, ask
questions, seek answers to those questions, and expand on what
we learn from the answers. In this way the human element
cannot be eliminated. Similarly, technology can't replace
auditors or the evaluative review process. •••
ANTHONY QUINN, FINANCIAL CRIMES
CONSULTING
Risk systems
are ultimately
only as
effective as
the people that
design and
operate them.
'
CHEYENNE WALKER, HEAD OF RISK AND
PROFESSIONAL STANDARDS, ADVICENET PTY LTD
'
Manually
managing
risks rarely
ensures risk
prevention.